Securing private data comes up every week at Echobind. For us, this usually involves safeguarding patient data, but it's equally important whether the application we're developing is a monolith for a startup or many microservices and third-party integrations for a large manufacturer.
Most developers would look at these individual recommendations as common sense, but that’s exactly the problem. With so much to consider when developing a new app, it’s easy to focus on the hard problems and forget about the seemingly easy issues.
To combat this, we’ve invested time in creating internal checklists for our team. Our goal is to make sure our team consistently performs at a high level. When we encounter an issue that we haven’t seen before, we learn from it and our checklist becomes better.
Here are ten questions that made it onto our list this year. We feel every organization looking to protect data should consider them when building a new application.
- How will users authenticate? Are we leveraging a secure system that already exists today or building one from scratch?
- Can users enable two-factor authentication? Will certain applications enforce 2FA? Does 2FA have a backup path (recovery codes, a second factor type) if email or SMS delivery is offline?
- Are communications to users secure? Do you know which columns in your database contain personal information? Is there a check to ensure your app isn’t leaking personally identifiable information?
- How many roles exist? Are separate roles for users and administrators provided? How hard will it be to add a new role after the application has shipped?
- How will data be entered into the system for the first time? Will data need to be converted from another application?
- How are compliance events being tracked? Is audit logging in place and tied to individuals accessing the system?
- Are application documents being shared? Are we sharing the data flow diagram, the system architecture and any technical requirements with internal and external stakeholders? Does the diagram show when and where data is encrypted?
- Is there a written policy for handling, storing and disposing of private information? Is a delete a soft or hard delete? What about social security numbers and other sensitive information? What do local laws stipulate regarding storing and archiving of data?
- How will future risk assessments take place? Who is in charge of adding new features and maintaining security patches? Are individuals managing the system tested regularly for their adherence to compliance?
- Where will the application be hosted? If a healthcare organization is hosting information offsite, is the hosting provider willing to sign a BAA (Business Associate Agreement)?
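The PII question above ("Do you know which columns contain personal information? Is there a check to ensure your app isn't leaking it?") is the one most teams answer with "we'll be careful". An automated check is cheap to build. The following is an added example, not Echobind's code and not from the article: it assumes a hypothetical registry of PII column names (the output of the schema review the checklist asks for) and a hypothetical per-endpoint allowlist of the PII each route is permitted to return. Anything else in an outgoing payload is treated as a leak, and a pattern check catches PII typed into free-text fields such as clinical notes. Sample payloads are constructed with fake data.

```python
"""Response guard that fails closed when an API payload carries PII the
endpoint was never declared to return.  Added example, not Echobind's code.

Assumptions (hypothetical, not from the article): PII columns are tracked in
a registry keyed by column name, and each endpoint declares the PII fields it
may expose.  Everything else is a leak.
"""
import re
from typing import Any, Iterator

# Hypothetical data classification: column names that hold personal
# information, gathered from the schema review the checklist calls for.
PII_FIELDS = {"ssn", "date_of_birth", "email", "phone", "home_address"}

# Hypothetical per-endpoint allowlist: the only PII fields each route may
# return.  A route missing from this map is allowed to return no PII at all.
ENDPOINT_ALLOWED_PII = {
    "GET /patients/{id}": {"email", "phone"},
    "GET /patients/{id}/visits": set(),
}

# Pattern check for PII smuggled into free-text fields (an SSN typed into a
# note, for example).  US SSN shape only; extend for the data your schema holds.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class PIILeak(Exception):
    """Raised when a response would expose undeclared PII."""


def _leaves(node: Any, path: str = "", key: str = "") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, nearest_dict_key, value) for every scalar in a nested payload."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def find_pii_leaks(endpoint: str, payload: Any) -> list[str]:
    """Describe every PII exposure in payload that endpoint is not allowed to make."""
    allowed = ENDPOINT_ALLOWED_PII.get(endpoint, set())
    leaks = []
    for path, key, value in _leaves(payload):
        # Schema-based check: a known PII column name outside the allowlist.
        if key in PII_FIELDS and key not in allowed:
            leaks.append(f"{path}: undeclared PII field '{key}'")
        # Pattern-based check: PII hiding in a value regardless of its column.
        if isinstance(value, str) and SSN_PATTERN.search(value):
            leaks.append(f"{path}: value matches SSN pattern")
    return leaks


def guard_response(endpoint: str, payload: Any) -> Any:
    """Fail closed: raise instead of serving a payload that leaks PII."""
    leaks = find_pii_leaks(endpoint, payload)
    if leaks:
        raise PIILeak("; ".join(leaks))
    return payload


# Constructed sample payloads (fake data) covering the three cases.
OK_PAYLOAD = {"patient": {"id": 42, "email": "a@example.org", "phone": "555-0100"}}
LEAKY_PAYLOAD = {"patient": {"id": 42, "email": "a@example.org", "ssn": "123-45-6789"}}
SMUGGLED_PAYLOAD = {"visits": [{"id": 7, "notes": "Verified identity with SSN 123-45-6789"}]}

if __name__ == "__main__":
    print(find_pii_leaks("GET /patients/{id}", OK_PAYLOAD))
    print(find_pii_leaks("GET /patients/{id}", LEAKY_PAYLOAD))
    print(find_pii_leaks("GET /patients/{id}/visits", SMUGGLED_PAYLOAD))
```

Wire `guard_response` in as the last step before serialization (a middleware or a serializer hook) so a new column added to a model cannot reach a client until someone deliberately adds it to the allowlist. In production you would log the leak with the endpoint and path, not the value, and return a generic error to the caller.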
If you're considering building a new application or need help with one that's in development, shoot us a note. We're always happy to hop on the phone and talk through how we would tackle a challenge and our company process.